Duplicator Pro 1.3.14 Local Information Disclosure

Duplicator Pro version 1.3.14 and below suffer from a local information disclosure vulnerability.

MD5 | 3e7a8b3a11b1663559ba3dc5c9329650

Product: Duplicator Pro
Vendor: SnapCreek
Website: https://snapcreek.com/
Discovered by: Evolution Hosting
Version vulnerable: <= 1.3.14
Fixed in: 1.3.15+

Vulnerability Type: Information Disclosure, local exposure of entire
webinstallation content

remotely triggerable: not for itself. Needs wp admin interaction.

O== Advise

Update to 1.3.15+ version

We did not test for a possible CSRF combination (i.e. with other plugins
) to lever it to a remote executable attack. Updating your Wordpress
Plugins regularly is a smart idea in general.

O== Timeline:

25.06.2019 - problem detected
26.06.2019 - vendor contacted
27.06.2019 - first vendor reaction
05.07.2019 - silent patched version made public by vendor
05.07.2019 - working fix confirmed
26.09.2019 - 90day timer run out

O== Description:

Duplicator( Pro ) can import/export/backup Wordpress installations.
While restoring the path after an import/restore, the directory mode of
the apphome is made public, if they were private before.

O== Tested Scenario:

OS: Linux
Apache PHP: CGI with user privilege seperation
Docroot: "/home/username/public_html/"

# ls -la /home/ | grep username
drwxr-x--- 5 username webservices 4096 25. Jun 14:13 username

After Duplicator has done its import/restore:

drwxr-xr-x 5 username webservices 4096 25. Jun 14:17 username

which opens the home directory of this webapp for any other systemuser.
As fileaccessrules usually are relaxed inside a "home" directory, the
entire content along the installation path could be exposed, if the
pathpart was app owned.

This may include database credentials for wp and other apps for the same

O== Temp Fix:

If you have a similar setup as our example above, execute after a restore:

chmod o-rx /home/username

O== Impact on none Linux systems


Related Posts